
Twitter’s Silence Deafening on State-Sponsored Attacks

A group of privacy advocates, who were notified by Twitter that their accounts were targeted in state-sponsored attacks, want some answers.

Twitter’s decision to notify users when their accounts are targeted in state-sponsored attacks earned its share of praise. But Twitter’s silence in terms of specifics about the attacks—whether by choice or gagged by a National Security Letter—has foisted some anxiety upon those who were notified.

A few of the estimated 50 recipients happened to be at the recent Chaos Communication Congress hacker conference (32C3) in Hamburg, Germany, and they commiserated not only over their mutual notifications, but also over a host of unanswered questions, foremost why were they targeted and by whom?

“I mean, Twitter is pretty public, what is there to find for a state sponsored actor?” said Anne Roth, a long time privacy champion in Germany who works for the parliamentary inquiry in that country investigating the Snowden revelations and how they affect Germany.

Roth, along with programmer and civil libertarian David Robinson of the Seattle Privacy Coalition, put up a website https://state-sponsored-actors.net/ that lists close to two dozen pressing and obvious questions the 32C3 gang of seven (the plea to Twitter has 30 signatories) had about their respective Twitter notifications.

A request for comment to Twitter was not returned. Twitter is not alone in alerting users targeted by state actors: Facebook began its notification service in October, followed by Twitter on Dec. 14 and Yahoo eight days later.

“It’s just scary to think somebody wants to know something about me and I have no clue whether it’s the NSA, the German police or North Korea,” Roth said. Roth is no stranger to surveillance operations; in July 2007, her partner, journalist Andrej Holm, was arrested on suspicion of terrorism. Roth later learned that the couple had been under surveillance for more than a year and that Holm was implicated because language he used in sociology publications matched patterns found in published rants by a group accused of a string of arson attacks. Holm was released after three weeks, but Roth said they were watched for three years afterward.

Like Roth, most of the others who met at 32C3 are heavily involved in advocating for privacy and the use of online tools that would thwart surveillance efforts such as Tor. Others such as Robinson worked for privacy or digital rights initiatives such as Seattle Privacy Coalition, the French Cryptoparty and La Quadrature du Net.

“It seems that most of the targets are some kind of activists (but not all), many are using Tor or are even related to the Tor project (but not all). I have no idea why I am a target,” said Jens Kubieziel, a board member of TorServers.net who has also trained journalists and activists in privacy initiatives. “Maybe that’s enough to put me on some kind of list.”

The list of questions posed on https://state-sponsored-actors.net/ aims to elicit answers about when the attacks happened, whether they’re ongoing, and what data the attackers were after beyond the phone numbers, IP addresses and email addresses of the targets. Those notified also want to know how the attacks were detected, what entities are behind them, and more about Twitter’s alerts themselves, such as whether they’re sent manually or automatically, why the alert service was started now, and whether Twitter is working in concert with Facebook, Yahoo and Google.

Andrea Shepard, a Tor Project committer, was also among those notified on Dec. 11 and present at 32C3. She, like the others, wants the mystery cleared up and wonders whether the attackers could also be after geolocation and source IP data, in addition to direct messages and possibly deleted tweets—more data than Twitter’s original notification warned recipients about.

“Twitter is frustratingly light on details other than this,” Shepard said. “What happened? What makes them believe it was state-sponsored, and if so, which state? What were they after? Most things on Twitter are public, after all. You don’t need to hack Twitter’s servers to scrape and archive someone’s tweets.”

The consensus among those who were notified is that Twitter’s silence is likely due to a gag order imposed by a National Security Letter, a powerful tool used by the U.S. government and law enforcement to compel telecommunications companies, technology providers and Internet service providers to turn over customer data. In December, a gag order on a 2004 NSL served on Nicholas Merrill, owner of the defunct ISP Calyx, was lifted, and for the first time the scope of an NSL was revealed. In Merrill’s case, the FBI sought not only detailed personal subscriber information, but browser history, IP addresses the subscriber connected to, email addresses, screen names and online aliases associated with the account, plus six months’ worth of online purchases. The FBI also sought a RADIUS log, which includes cell tower-based tracking information.

“However, that [Twitter stays] quiet now probably does more harm,” Kubieziel said. “Some people suspect that Twitter might have received some gag order and isn’t allowed to say anything. However, even if it was only some bad algorithm which misjudged the situation, it would be better to tell the truth. I think it would help many of us to sleep better.”

Shepard put it more succinctly.

“Mostly,” she said, “we just want Twitter to tell us what the heck is going on.”

Discussion

A company should NEVER respect an NSL and should instead fully publish the details of that letter for full transparency. "National security" has been so abused that governments should no longer have any rights whatsoever to use it, even for a legitimate cause. Guess they never read the kid who cried wolf.

Authors

Threatpost
